🕵🏻‍♂️ [InfoSec MASHUP] 15/2025
The U.S. Department of Justice has disbanded its National Cryptocurrency Enforcement Unit; To tackle espionage, Dutch government plans to screen university students and researchers; Another busy Patch Tuesday; NIST will mark all CVEs published before January 1, 2018, as 'Deferred'; Trump Signs Memorandum Revoking Security Clearance of Former CISA Director Chris Krebs; China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure;
We now have 1,653 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let's keep growing the community.
Let's now dive into this week's top insights!
BREACHES & SECURITY INCIDENTS
🇲🇦 Hackers breached Morocco's social security database, stealing personal information and leaking it on Telegram. The attack is believed to be linked to rising tensions between Morocco and Algeria, with each side accusing the other of cyberwarfare. The leaked records included sensitive salary data, which has drawn attention to pay inequalities in Morocco.
🇪🇺 The Fourlis Group, which operates IKEA stores in Eastern Europe, lost about $23 million due to a ransomware attack that hit just before Black Friday in November 2024. The attack disrupted IKEA's operations and online sales; the company did not pay the ransom and restored its systems with outside help. No evidence of data theft was found, and the authorities were notified as required.
🇺🇸 A data breach at Laboratory Services Cooperative (LSC) has affected 1.6 million people, compromising their personal and medical information. The stolen data includes names, Social Security numbers, health details, and financial information. LSC is providing affected individuals with free credit monitoring and has not found evidence of the stolen data being shared on the dark web.
🇺🇸 The U.S. Treasury's Office of the Comptroller of the Currency (OCC) reported a significant email hack that compromised around 150,000 emails, including sensitive financial information. The breach involved 103 email accounts and was discovered on February 12, 2025, after unusual activity was noticed. It is still unclear who was behind the attack or whether it is linked to earlier intrusions at other Treasury departments.
🇺🇸 A vulnerability in the Verizon Call Filter app could have exposed the call records of millions of Americans. The flaw allowed an authenticated user to request another subscriber's incoming call history simply by supplying that subscriber's phone number, with no check that the number belonged to the requester. Verizon has since patched the issue.
🇺🇸 WK Kellogg Co has reported a data breach linked to the Clop ransomware gang, which stole employee data during the December 2024 mass exploitation of Cleo file transfer software. The breach exposed personal information, including names and Social Security numbers, and Kellogg is offering affected individuals free identity monitoring services. The company is working with Cleo to strengthen security measures and prevent future incidents.
A hacker breached Europcar's GitLab repositories, stealing source code and personal information of up to 200,000 customers. The attacker threatened to release 37GB of data, including backups and internal company details. Europcar is assessing the damage and notifying affected customers; it says more sensitive data such as bank details was not exposed.
🇺🇸 The Port of Seattle announced that 90,000 people had their personal information compromised in a ransomware attack that occurred on August 24, 2024. The attack affected systems at the Seattle-Tacoma International Airport and involved the Rhysida group, which demanded a $6 million ransom. The Port is offering one year of free credit monitoring to those impacted and assures that airport safety and operations were not compromised.
🇺🇸 The State Bar of Texas experienced a ransomware attack that compromised personal information of over 2,700 individuals. They are notifying those affected and offering free identity theft monitoring services. The stolen data includes sensitive information like Social Security numbers and financial details, but there is no evidence of fraud so far.
Partners and Affiliates
NordVPN Spring Campaign 🌷 (March 19 to May 19)
With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.
Special Offer: up to 77% off + 3 extra months on selected 2-year plans.
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
🇷🇺 Gamaredon, a Russian hacking group, has shifted from Visual Basic Script to PowerShell tooling to improve stealth and evade detection. Its recent campaigns spread malware through infected removable drives.
🇪🇺 Law enforcement has detained at least five customers of the Smokeloader malware as part of Operation Endgame, which targets cybercriminals. The operation has seized over 100 servers linked to various malware activities and is ongoing, with authorities analyzing data to track more suspects. Europol encourages the public to report any information related to the investigation through their dedicated website.
🇺🇸 ⚖️ Noah Urban, a 20-year-old from Florida, has pleaded guilty to charges related to the cybercrime group Scattered Spider, which is known for phishing attacks and ransomware. He pleaded guilty to wire fraud and identity theft charges and has agreed to pay $13 million in restitution to victims. Urban had initially pleaded not guilty but changed his plea as part of a deal with prosecutors.
{Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events. Feel free to contribute by submitting issues or pull requests. Thanks!
👨🏻‍⚖️ GOVERNMENT, POLITICS, AND PRIVACY
🇨🇳 🇺🇸 China admitted to the Volt Typhoon cyberattacks on U.S. critical infrastructure during a secret meeting with American officials in December. The attacks were meant to intimidate the U.S. over its support for Taiwan and targeted critical sectors such as communications and energy.
🇺🇸 A panel of U.S. judges expressed skepticism about NSO Group's arguments to dismiss a case filed by El Salvadoran journalists over alleged phone hacking. The judges questioned where the misconduct occurred, noting that the alleged hacking passed through Apple servers in California. Tech companies, including Microsoft and Google, filed in support of the journalists, emphasizing the importance of cybersecurity.
🇳🇱 The Dutch government plans to screen university students and researchers who access sensitive technology to prevent espionage. About 8,000 people will be vetted each year, but it's unclear who will conduct these assessments. This initiative comes amid growing concerns about foreign espionage, particularly from countries like China.
🇬🇧 A U.K. court has ruled that details of a surveillance order against Apple must be made public, despite the government's objections. This case involves a demand for Apple to allow access to encrypted customer data from anywhere in the world. Privacy advocates and lawmakers are calling for transparency in the hearings related to this legal demand.
🇺🇸 President Trump has fired General Timothy Haugh from his dual role as head of U.S. Cyber Command and director of the NSA. The move came amid broader leadership changes and raises questions about the future direction of U.S. cyber operations.
Partners and Affiliates

Stay connected and secure on the go with Airalo's global eSIMs. Use the code NEWTOAIRALO15 if you're new to Airalo to get an additional 15% discount.
🦠 MALWARE & THREATS
🤖 A new Python-based framework called AkiraBot has spammed over 80,000 websites by sending AI-generated messages through contact forms and chat widgets. It can bypass CAPTCHA filters and uses OpenAI services to create a unique message for each targeted site. AkiraBot has been active since September 2024, evolving to target website platforms such as Shopify, GoDaddy, and Wix.
A vulnerability in ESET products was exploited by an advanced group known as ToddyCat to load stealthy malware. The flaw, tracked as CVE-2024-11859, is a DLL search-order hijack: an attacker who already had administrative access could plant a malicious DLL that the ESET Command Line Scanner loaded in place of the legitimate system library, running the attacker's code inside the security product's process. ESET has issued fixes and advises users to update their software.
🕸️ There has been a sharp increase in attacks on TVT NVMS9000 DVRs, with over 2,500 unique IPs attempting to exploit a security flaw. The vulnerability lets attackers bypass authentication and take control of the devices, which are then recruited into a Mirai-based botnet. Users are advised to update their firmware or cut off internet access to the devices to protect against these threats.
🎣 The 'PoisonSeed' phishing campaign targets cryptocurrency users by sending emails with fake seed phrases from compromised corporate email accounts. Attackers trick victims into transferring their assets into wallets the attackers control, allowing them to steal the funds. Users should never use seed phrases provided by email and should independently verify any urgent requests from cryptocurrency platforms.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🛠️ Xanthorox AI is a new malicious AI tool marketed for cybercrime, advertised with capabilities for hacking and exploitation. It runs as a self-contained system on its own infrastructure, with several models handling tasks such as code generation and data analysis, which makes it difficult to detect and take down.
🇺🇸 The U.S. Department of Justice has disbanded its National Cryptocurrency Enforcement Unit, which was focused on crypto-related investigations. Deputy Attorney General Todd Blanche stated that the DOJ is not a digital-assets regulator and will instead focus on prosecuting individuals who defraud or harm investors. This move aligns with Trump's efforts to loosen regulations on the crypto industry.
Partners and Affiliates
⚡️ Unlock Your Peak Performance: First Month FREE!
Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead of the threat. Try it out, get a free WHOOP 4.0 and one month free.
🪳 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
From the Patching Department:
Adobe Patches 11 Critical ColdFusion Flaws Amid 30 Total Vulnerabilities Discovered
Amazon EC2 SSM Agent Flaw Patched After Privilege Escalation via Path Traversal
Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw
SonicWall Patches High-Severity Vulnerability in NetExtender
A researcher found over 35 suspicious Chrome extensions in the Chrome Web Store, installed on more than 4 million devices in total. The extensions request broad permissions, such as access to cookies and browsing activity on every site and the ability to intercept and modify web traffic, which would let them harvest sensitive data or tamper with the pages users see. Permissions like these enable serious abuse, so an extension should be trusted only when it genuinely needs them.
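The permission review described above can be turned into a repeatable check over the manifest.json files of installed extensions. The script below is an added example for this item, not the researcher's tooling or anything from Google; the list of high-impact permissions, the weights and the three sample manifests are this example's own assumptions, chosen to reflect the two risks the item names: access to sensitive data and control over web traffic.

```python
"""Rank Chrome extension manifests by the permissions they request.

Added example; not the researcher's tooling or Google's. The permission
list, weights and sample manifests are assumptions made for illustration.
"""
import json

# Permissions that let an extension read user data or alter web traffic.
# Weights are an assumption for ranking, not an official severity scale.
RISKY_PERMISSIONS = {
    "webRequest": 3, "webRequestBlocking": 3, "declarativeNetRequest": 2,
    "cookies": 3, "history": 2, "tabs": 1, "scripting": 2, "debugger": 3,
    "clipboardRead": 2, "management": 2, "nativeMessaging": 3, "proxy": 3,
}
# Host patterns that match every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_json: str) -> dict:
    """Return the name, risk score and list of findings for one manifest.

    Handles MV2 manifests, where host patterns are mixed into 'permissions',
    and MV3 manifests, which list them under 'host_permissions'. Optional
    permissions count too, since the extension can prompt for them later.
    """
    m = json.loads(manifest_json)
    declared = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in declared if "://" in p or p == "<all_urls>"}

    findings, score = [], 0
    for perm in sorted(declared & set(RISKY_PERMISSIONS)):
        findings.append(f"permission:{perm}")
        score += RISKY_PERMISSIONS[perm]
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("broad-host:" + ",".join(broad))
        score += 3
    # MV2 only: a string CSP whose script-src allows loading code from the web.
    csp = m.get("content_security_policy", "")
    if isinstance(csp, str) and "script-src" in csp and ("http" in csp or "*" in csp):
        findings.append("csp-remote-script")
        score += 3
    return {"name": m.get("name", "?"), "score": score, "findings": findings}


def rank_manifests(manifests: list) -> list:
    """Audit each manifest and return the results, riskiest first."""
    return sorted((audit_manifest(m) for m in manifests),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    json.dumps({"manifest_version": 3, "name": "Site Notes",
                "permissions": ["storage", "activeTab"],
                "host_permissions": ["https://notes.example.com/*"]}),
    json.dumps({"manifest_version": 3, "name": "Coupon Finder Pro",
                "permissions": ["cookies", "webRequest", "scripting", "tabs", "storage"],
                "host_permissions": ["<all_urls>"]}),
    json.dumps({"manifest_version": 2, "name": "Legacy Ad Filter",
                "permissions": ["http://*/*", "https://*/*", "webRequest", "webRequestBlocking"],
                "content_security_policy": "script-src 'self' https://cdn.example.net; object-src 'self'"}),
]

if __name__ == "__main__":
    for r in rank_manifests(SAMPLE_MANIFESTS):
        print(f"{r['score']:>3}  {r['name']:<20} {', '.join(r['findings']) or 'no risky permissions'}")
```

Point it at the manifest.json files under a user's Chrome profile (the Extensions directory) and review anything that scores high against what the extension claims to do; a note-taking extension that needs cookies on every site is the kind of mismatch the researcher flagged.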
💥 Rapid7 has published details of a serious remote code execution vulnerability in Ivanti's Connect Secure VPN appliances, urging organizations to apply patches immediately. Ivanti had originally assessed the bug as a low-risk denial-of-service issue, and it was exploited by a Chinese hacking group before the vendor publicly acknowledged it as remotely exploitable. Customers are advised to update to the latest version and check their appliances for signs of compromise.
Researchers found vulnerabilities in the Nissan Leaf electric vehicle that allow hackers to remotely spy on the car and take control of its functions. By exploiting the infotainment system's Bluetooth, they could track the owner's location and manipulate features like the steering wheel and doors. Nissan is aware of these issues and is working on security improvements.
Microsoft reported that a recently fixed elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver was exploited in ransomware attacks against several organizations. The attacks used a trojan called PipeMagic to deliver the exploit and the ransomware payload. Microsoft is tracking the activity, which involved dumping LSASS memory to steal credentials before encrypting files on compromised systems.
NIST will mark all CVEs published before January 1, 2018, as 'Deferred' in the National Vulnerability Database. Deferred CVEs will no longer be prioritized for enrichment updates (such as CVSS scores and CPE data) unless they appear in CISA's Known Exploited Vulnerabilities catalog. NIST is facing a growing backlog of CVEs and is exploring new systems and AI to speed up processing.
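For a vulnerability-management pipeline that consumes NVD data, the practical question is which tracked CVEs will stop receiving NIST enrichment and which exploited ones still need attention despite a stale record. The script below is an added example, not NIST or CISA code: it applies the rule stated above to constructed records laid out like the NVD API 2.0 and KEV JSON feeds. The CVE IDs in the sample are placeholders, not real vulnerabilities.

```python
"""Triage NVD records against the 'Deferred' rule described above.

Added example, not NIST or CISA code. Sample records are constructed in the
shape of the NVD API 2.0 and KEV feeds; the CVE IDs are placeholders.
"""
import json
from datetime import datetime

DEFERRAL_CUTOFF = datetime(2018, 1, 1)
# vulnStatus values meaning NIST has not finished (or started) analysis.
PENDING_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


def kev_ids(kev_json: str) -> set:
    """Return the CVE IDs present in a KEV-shaped feed."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def triage(nvd_json: str, kev: set) -> dict:
    """Map each CVE ID in an NVD-shaped response to a handling bucket.

      'kev'           in KEV: exploited, fix regardless of NVD status
      'kev-deferred'  in KEV but Deferred in NVD: exploited, and the NVD record
                      will not be enriched, so score it from other sources
      'deferred'      Deferred: no more NVD enrichment is coming
      'pending'       in NIST's backlog, no CVSS/CPE data yet
      'analyzed'      enriched record, use the NVD data as usual
    """
    buckets = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cid, status = cve["id"], cve.get("vulnStatus", "")
        if cid in kev:
            buckets[cid] = "kev-deferred" if status == "Deferred" else "kev"
        elif status == "Deferred":
            buckets[cid] = "deferred"
        elif status in PENDING_STATUSES:
            buckets[cid] = "pending"
        else:
            buckets[cid] = "analyzed"
    return buckets


def will_be_deferred(nvd_json: str, kev: set) -> set:
    """IDs the stated rule marks Deferred: published before the cutoff and
    not in KEV, whatever their vulnStatus is today."""
    out = set()
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        published = datetime.strptime(cve["published"][:10], "%Y-%m-%d")
        if published < DEFERRAL_CUTOFF and cve["id"] not in kev:
            out.add(cve["id"])
    return out


# Constructed sample data in the shape of the two feeds (placeholder IDs).
NVD_SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2017-99901", "published": "2017-03-14T22:59:00.000", "vulnStatus": "Deferred"}},
    {"cve": {"id": "CVE-2016-99902", "published": "2016-01-12T00:00:00.000", "vulnStatus": "Deferred"}},
    {"cve": {"id": "CVE-2019-99903", "published": "2019-06-04T00:00:00.000", "vulnStatus": "Analyzed"}},
    {"cve": {"id": "CVE-2025-99904", "published": "2025-04-08T00:00:00.000", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-2015-99905", "published": "2015-07-01T00:00:00.000", "vulnStatus": "Analyzed"}},
]})
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2016-99902", "vendorProject": "ExampleVendor", "product": "ExampleProduct"},
]})

if __name__ == "__main__":
    kev = kev_ids(KEV_SAMPLE)
    for cid, bucket in sorted(triage(NVD_SAMPLE, kev).items()):
        print(f"{cid}: {bucket}")
    print("will lose NVD enrichment:", sorted(will_be_deferred(NVD_SAMPLE, kev)))
```

The two functions answer different questions: `triage` reads the status NIST has already set, while `will_be_deferred` predicts, from the publication date and KEV membership alone, which records in an inventory are about to go stale so that alternative scoring sources can be lined up in advance.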
💬 A recent update to the WhatsApp desktop app for Windows fixed a spoofing vulnerability that could allow attackers to run malicious code on users' devices. The issue, tracked as CVE-2025-30401, stemmed from the app displaying attachments according to their MIME type while choosing the program to open them by the filename extension, so a file shown as a harmless image could run as an executable when opened. There are no reports of exploitation so far, but WhatsApp remains a prime target for attackers.
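The bug class is a disagreement between two type signals for the same file. The check below is an added example, not WhatsApp's code or its fix for CVE-2025-30401: it compares the declared MIME type of an attachment with the type implied by its extension, refuses executable extensions outright, and tolerates the quirks an attacker would use to slip past a naive comparison (MIME parameters, trailing spaces or dots, double extensions). The attachment list is constructed; type lookups use Python's standard library.

```python
"""Check attachments for MIME type / filename extension disagreement.

Added example, not WhatsApp's code. The sample attachments are constructed.
"""
import mimetypes
import os

# Extensions that Windows hands to an interpreter or loader rather than a
# viewer: never opened through a default handler, whatever the MIME type says.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".ps1",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}


def classify_attachment(filename: str, declared_mime: str) -> str:
    """Return 'executable', 'mismatch', 'unknown' or 'ok' for one attachment.

    The extension is taken after stripping trailing dots and spaces, which
    Windows ignores, so "photo.jpg.exe " still counts as an executable. The
    declared type has any parameters (e.g. "; name=...") removed first.
    """
    name = filename.strip().rstrip(" .")
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    declared = declared_mime.split(";")[0].strip().lower()
    guessed, _ = mimetypes.guess_type(name, strict=False)
    if guessed is None:
        return "unknown"          # no extension mapping: do not trust either signal
    if guessed.lower() != declared:
        return "mismatch"         # rendered as one type, would open as another
    return "ok"


def safe_to_open(filename: str, declared_mime: str) -> bool:
    """Only attachments whose two type signals agree may go to a default handler."""
    return classify_attachment(filename, declared_mime) == "ok"


# Constructed sample attachments as (filename, declared MIME type).
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg", "image/jpeg"),
    ("holiday.jpg", "image/png"),
    ("holiday.jpg.exe", "image/jpeg"),
    ("report.pdf", "application/pdf; name=report.pdf"),
    ("notes.unknownext", "text/plain"),
    ("invoice.pdf.lnk ", "application/pdf"),
]

if __name__ == "__main__":
    for fname, mime in SAMPLE_ATTACHMENTS:
        print(f"{fname!r:<22} {mime:<34} -> {classify_attachment(fname, mime)}")
```

The point of returning 'unknown' rather than 'ok' for unmapped extensions is that the spoof depends on the receiving side trusting whichever signal is more convenient; when the two cannot be reconciled, the attachment should be saved rather than launched.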
🇵🇱 Annual report from the actions of CERT Polska 2024: CERT Polska had a record-breaking year in 2024, focusing on online safety and analyzing cyber threats. The report highlights their tools for cybersecurity, partnerships, and educational initiatives, including a new reporting channel. It emphasizes the importance of awareness and knowledge in combating cybercrime.
🛰️ ICS, OT & IoT
🩹 ICS Patch Tuesday: Siemens, Schneider Electric, Rockwell Automation, and ABB released security advisories for critical vulnerabilities in their products this month. Siemens urged customers to replace an outdated device because of serious security flaws and reported issues in several other products. Schneider Electric and Rockwell addressed vulnerabilities that could allow unauthorized access or remote code execution, while ABB highlighted risks in third-party components.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Thanks for reading today's newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.